Wary of giving your password to yet another site? – OAuth to the rescue

January 5, 2008

Note: This post is over 4 years old. It was first published in January 2008

Woah there! You’ve found yourself on an old article. Take note of the date before reading.

I’ve just been doing a spot of reading about oAuth and thought I’d do a quick post on it. This was a hot topic back in October, so I seem to be rather late to the discussion – if you are too, read on…

“Giving your email account password to a social network site so they can look up your friends is the same thing as going to dinner and giving your atm card and pin code to the waiter when it’s time to pay. Any restaurant asking for your pin code will go out of business, but when it comes to the web, users put themselves at risk sharing the same private information. OAuth to the rescue.” [Excerpt from An end-user overview of oAuth by Eran Hammer-Lahav (Oct 2007)]

2 comments

Anita

January 7, 2008

This idea of being taken to another site to sign in sounds phishable.

You could send them to a spoof site that looks and feels like the original, then get them to sign in. The user might do so because they are used to this happening, and because they falsely believe it is somehow safe because they are protected by oAuth.

One thing you can do for sites like Facebook and other semi-trusted sites is change your password to something temporary, give them your password, let them do their thing, and then change it back. This is only safe if you don’t think Facebook is going to do something dodgy while it’s got your password. What changing your password does do is makes it so that if somehow Facebook’s logs got hacked, and if the password you gave Facebook was somehow in those logs, then the hackers have a deadend password.

I’ve never ever even clicked that button on Facebook for fear it will do something horrible like spam all my friends.